-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2025-58151 / XSA-478
                              version 2

          varstored: TOCTOU issues with mapped guest memory

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

varstored is a component of the Xapi toolstack that handles UEFI
Variables for a VM.  It communicates with OVMF inside the VM through a
buffer prepared by OVMF and mapped into varstored.

Within varstored, there were insufficient compiler barriers around
accesses to this shared buffer, creating TOCTOU (time-of-check to
time-of-use) issues: data validated by varstored could be changed by the
guest before varstored used it.  The exact vulnerable behaviour depends
on the code generated by the compiler.  In a build of varstored using
default settings, the attacker can control an index used in a jump
table.

IMPACT
======

An attacker with kernel level access in a VM can escalate privilege by
gaining code execution within varstored.

VULNERABLE SYSTEMS
==================

Only systems using the Xapi toolstack are potentially affected.

All versions of varstored are potentially affected.

x86 HVM guests which have been configured as UEFI VMs can leverage the
vulnerability.  x86 PV guests cannot leverage the vulnerability.

A Xapi VM is configured for UEFI if the `HVM-boot-params` map contains
`firmware=uefi`, e.g.:

    xe vm-param-list uuid=$UUID
    ...
    HVM-boot-params (MRW): firmware: uefi
    ...

If `firmware` is set to `bios`, or is absent entirely (PV guests), then
the guest cannot leverage the vulnerability.

MITIGATION
==========

There are no mitigations.

CREDITS
=======

This issue was discovered by Teddy Astie of Vates.

RESOLUTION
==========

Applying the attached patch resolves this issue.
xsa478.patch           varstored master

$ sha256sum xsa478*
401679429e22e202fecf418c5100144ea0ee1cca3643f09960107cf3d88821db  xsa478.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decision-making.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:

  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAml4qMEMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZp94IAKAafDWRsyB3vmmHsGG2cF3I1LFKQMzhtogNUu/w
7QrhNwmyI9tdIhtlPk4JC75L1Em+kDXHh+vNkQF97QeKq2IyuEYt+q2ko6sV/RTF
Ewv0BhJJIiJCfyI/x55dz+YANOwsSOo7bZrSy1l/VgUJOdVKK5L1VtcloD57ZX2D
A4r/rfZbJwx/vJ+Zp8R+W0on7SWS6h4am6M0+7f2swiJ2MpoEUwhSgFMmigOcdUc
xbUo/IKOiQVNX2A6j+J5tQT6JlrXC/K8bIUwe2oDKRPG1qSMYAr2lKZ4GvoflUra
ckCA0k520KHw+ZfuHhQq/TzIFaLVDnr1kfChYdPSX0jXtb0=
=B9ua
-----END PGP SIGNATURE-----
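Editor's illustration of the bug class named in ISSUE DESCRIPTION. This is added example code, not varstored's code and not the attached patch; the request layout, handler table and every function name are hypothetical. It reduces the problem to a dispatcher that indexes a handler table with a value read from a buffer the guest can write at any time. The first dispatcher reads the guest-controlled field once to bounds-check it and again to use it, so a write landing in between defeats the check; the guest's write is modelled by a callback so the race is deterministic. The second dispatcher snapshots each guest-controlled field exactly once through a volatile load into private memory and validates and uses only the snapshot. Without the volatile access the compiler is entitled to re-read the field from the shared page instead of keeping the local, which is the missing-barrier behaviour the advisory refers to.

```c
/* Added example: double-fetch TOCTOU on a guest-mapped buffer versus a
 * snapshot-then-validate dispatcher.  Not varstored code; layout and names
 * are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Request header in memory the guest may write at any time (constructed layout). */
struct shared_req {
    uint32_t command;   /* guest-chosen index into the handler table */
    uint32_t length;
};

/* Exactly one load from guest memory; the compiler may neither fold nor repeat it. */
static inline uint32_t read_once_u32(const uint32_t *p)
{
    return *(const volatile uint32_t *)p;
}

typedef int (*handler_fn)(uint32_t len);
static int h_get(uint32_t len)   { return 100 + (int)len; }
static int h_set(uint32_t len)   { return 200 + (int)len; }
static int h_query(uint32_t len) { return 300 + (int)len; }

static const handler_fn handlers[] = { h_get, h_set, h_query };
#define NUM_COMMANDS (sizeof(handlers) / sizeof(handlers[0]))

/* Models the guest writing the shared page while the host is mid-request. */
typedef void (*guest_race_fn)(struct shared_req *req);

enum { REJECTED = -1, OOB_DISPATCH = -2 };

/* Vulnerable shape: the bounds check and the table lookup are separate reads
 * of guest memory, so the value that was checked is not the value used. */
int dispatch_double_fetch(struct shared_req *req, guest_race_fn race)
{
    if (req->command >= NUM_COMMANDS)   /* first fetch: check */
        return REJECTED;
    if (race)
        race(req);                      /* guest write lands in the window */
    uint32_t idx = req->command;        /* second fetch: use */
    if (idx >= NUM_COMMANDS)
        return OOB_DISPATCH;            /* real code would index past the table here */
    return handlers[idx](req->length);
}

/* Hardened shape: copy every guest-controlled field once into host-private
 * memory, then validate and use only the copies. */
int dispatch_snapshot(struct shared_req *req, guest_race_fn race)
{
    uint32_t cmd = read_once_u32(&req->command);
    uint32_t len = read_once_u32(&req->length);
    if (cmd >= NUM_COMMANDS)
        return REJECTED;
    if (race)
        race(req);                      /* later guest writes cannot affect cmd/len */
    return handlers[cmd](len);
}

/* Constructed guest behaviour: swap the command for an out-of-range index. */
static void guest_flips_command(struct shared_req *req)
{
    req->command = 7;
}

/* Both dispatchers start from the same request: command=1, length=5. */
int run_double_fetch_demo(void)
{
    struct shared_req req = { .command = 1, .length = 5 };
    return dispatch_double_fetch(&req, guest_flips_command);
}

int run_snapshot_demo(void)
{
    struct shared_req req = { .command = 1, .length = 5 };
    return dispatch_snapshot(&req, guest_flips_command);
}

int main(void)
{
    printf("double fetch: %d (expect %d, out-of-bounds dispatch)\n",
           run_double_fetch_demo(), OOB_DISPATCH);
    printf("snapshot:     %d (expect 205, h_set(5))\n", run_snapshot_demo());
    return 0;
}
```

The review question this reduces to, for any host component that parses guest-writable memory: is every field read once into a local before the first check, and is anything after that check computed only from the local? Where a field is large (a variable name or data blob), the same rule means copying it into a host buffer before parsing rather than re-reading the mapped page.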